Thursday, December 3, 2015

Reconnaissance

Reconnaissance:
Reconnaissance is the first phase of the cyber exploitation life cycle.
In this phase, hackers focus on collect as much information about the target without getting detected.
1)      Collect Elementary Information:
a.      What is the website look like
b.      What web server are they using
c.      Where are they physically located
d.      Officers of the company
e.      When was the company founded
f.       Where do they start from?
g.      Who is providing the hosting service
h.      No. of offices the company has
2)      Discover OS, Web Servers & Platforms:
a.      What operating system is running in the system exposed
b.      What web server they are using? E.g. apache, ISS etc.
c.      What version they are using
3)      Perform Queries:
a.      Whois
b.      DNS information
c.      Underlying networking information
d.      Routers they are using
e.      Employees Information for social engineering
4)      Discover Vulnerabilities:
a.      Possible vulnerabilities
Why Reconnaissance?
1)      It helps us to understand the security posture of any company. Understand the network infrastructure of the target company as in exposed and possibly internal IP address, what is behind the firewall, which version of DMZ they use etc.
2)      Helps in reducing the attack area. I.e. focused domains, IP address, ports etc.
3)      Helps in building information database to keep track of attack vectors etc.
4)      Layout a network map.
5)      It makes the job easier in the long run
Types of recon:
1)      Passive scanning: Using public available sources to determine as much information about the target e.g. IP address, OS, web servers, services open, access control, IDS etc.
2)      Active Recon: Touching the target e.g. Going to job interview, social engineering, walking through the building
3)      Anonymous: Getting information from unknown/third party sources.
4)      Organization/private: Process of getting info from event calendar, email services etc.,
5)      Internet recon: Using internet sources like passive. Use google to reconnaissance their website etc.
6)      Pseudonymous: Collecting info. From sources that are published but not direct from the employee or company e.g. Government etc.

Goals of Reconnaissance:
1)      What am I looking for:
a.      Network information
                                                    i.     Domain names: child domains etc.
                                                   ii.     Internal domains etc. like .net, .com so .com is used outside but .net internally
                                                  iii.     IP addresses
                                                  iv.     Unmonitored/private websites
                                                   v.     TCP/UDP services
                                                  vi.     IDS/Access controls
                                                vii.     VPN info
                                               viii.     Phone numbers/VoIP
b.      Operating system info.
                                                    i.     User & group names: like how they do system naming
                                                   ii.     Banner grabbing
                                                  iii.     Routing tables how packets are getting router
                                                  iv.     SNMP
                                                   v.     System architecture
                                                  vi.     Remote Systems
                                                vii.     System names like if the name of one of the server is from stars we can try to identify others
                                               viii.     Passwords length etc.
c.      Organization Information
                                                    i.     Organization website
                                                   ii.     Company directory
                                                  iii.     Employee details
                                                  iv.     Location details
                                                   v.     Addresses/Phone Numbers
                                                  vi.     Comments in HTML source code
                                                vii.     Security Policies deployed
                                               viii.     Web server links i.e. Partnering company
                                                  ix.     Background of organization
                                                   x.     News/press releases
Once we get the information, hackers try to create a blueprint of the organization. This helps in identifying the different point of entries to the organization etc.

Tools Used for Reconnaissance:
1)      WinHTTrack (Website Copier)
2)      Webmaster toolkit (Link Extractor)
3)      Whois
4)      Ping
5)      Nslookup
6)      Netstat
7)      Tracert
8)      Netcraft
9)      Wayback machine
10)   PoliteMail
11)   Email Lookup
12)  Nmap
13) Vulnerability Scanners like Nessus, Nexpose etc.
14) Sniffers like Wireshark, Ettercap etc.
15) Packet Crafters like Netcat, Hping etc.